The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information.

Difference between revisions of "T1 Font Integer Overflow"

From The iPhone Wiki
Jump to: navigation, search
m (Sources: full link (same article))
m
 
(3 intermediate revisions by 3 users not shown)
Line 1: Line 1:
The '''T1 Font Integer Overflow''' (A.K.A '''DejaVu''' as it is very similar to the [[Malformed CFF Vulnerability]][https://twitter.com/comex/status/88208990789578752]) is a vulnerability used in [[Saffron]].
 +
The '''T1 Font Integer Overflow''' (a.k.a '''DejaVu''' as it is very similar to the [[Malformed CFF Vulnerability]][https://twitter.com/comex/status/88208990789578752]) is an exploit used in [[Saffron]].
   
== Credit for Exploitation ==
 +
== Credit ==
 
* [[User:comex|comex]]
  
* [[User:comex|comex]]
   
 
== Description ==
  
== Description ==
When dealing with op_callothersubr, arg_cnt is defined as an integer. arg_cnt is read from decoder‑>stack, which could be set to 0xfea50000 by charstring "fb ef". And this will bypass stack checking. Then "top ‑= arg_cnt" will make top point to data outside of decoder‑>stack. Actually it points to decoder‑>parse_callback. decoder‑>parse_callback address minus default address of that function to get ASLR offset. That's how it bypasses ASLR.
 +
When dealing with op_callothersubr, arg_cnt is defined as an integer. arg_cnt is read from decoder&#8209;>stack, which could be set to <code>0xfea50000</code> by charstring "fb ef". And this will bypass stack checking. Then "top&nbsp;&#8209;=&nbsp;arg_cnt" will make top point to data outside of decoder&#8209;>stack. Actually it points to decoder&#8209;>parse_callback. decoder&#8209;>parse_callback address minus default address of that function to get ASLR offset. That's how it bypasses ASLR.
   
This vulnerability was actually addressed by Apple in {{wp|Mac OS X Snow Leopard|Mac OS X v10.6.8}}/[http://support.apple.com/kb/HT4723 Security Update 2011-004], but a fix was never pushed to [[iOS]]. (Its CVE identifier is ''CVE-2011-0202''.)
 +
This vulnerability was actually addressed by Apple in [[wikipedia:Mac OS X Snow Leopard|OS X v10.6.8]] ([http://support.apple.com/kb/HT4723 Security Update 2011-004]), but a fix was never pushed to [[iOS]]. (CVE-2011-0202).
   
 
When Apple released iOS 4.2.9/4.3.4 to patch this vulnerability, it received a different CVE identifier (CVE-2011-0226).
  
When Apple released iOS 4.2.9/4.3.4 to patch this vulnerability, it received a different CVE identifier (CVE-2011-0226).
   
  +
== External Links ==
==Sources==
  
* Tweets from [https://twitter.com/windknown @windknown]: [https://twitter.com/windknown/status/88170553948651520][https://twitter.com/windknown/status/88171950886760448][https://twitter.com/windknown/status/88172830029651968][https://twitter.com/windknown/status/88173940391940096]
 +
* Tweets from <span class="plainlinks">@[https://twitter.com/windknown windknown]: [https://twitter.com/windknown/status/88170553948651520 1] [https://twitter.com/windknown/status/88171950886760448 2] [https://twitter.com/windknown/status/88172830029651968 3] [https://twitter.com/windknown/status/88173940391940096 4]</span>
* [http://support.apple.com/kb/HT4723 Apple KB]
 +
* [http://support.apple.com/kb/HT4723 KB HT4723]
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0202
 +
* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0202 CVE-2011-0202]
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0226
 +
* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0226 CVE-2011-0226]
* http://intrepidusgroup.com/insight/2011/07/reversing-jailbreakme-com-4/
 +
* [http://intrepidusgroup.com/insight/2011/07/reversing-jailbreakme-com-4/ Analasis by Intrepid US Group]
* http://esec-lab.sogeti.com/post/Analysis-of-the-jailbreakme-v3-font-exploit
 +
* [http://esec-lab.sogeti.com/post/Analysis-of-the-jailbreakme-v3-font-exploit Analasis by Sogeti ESEC Labs]
   
 
[[Category:Exploits]]
  
[[Category:Exploits]]

Latest revision as of 00:12, 10 October 2012

The T1 Font Integer Overflow (a.k.a DejaVu as it is very similar to the Malformed CFF Vulnerability[1]) is an exploit used in Saffron.

Credit

Description

When dealing with op_callothersubr, arg_cnt is defined as an integer. arg_cnt is read from decoder‑>stack, which could be set to 0xfea50000 by charstring "fb ef". And this will bypass stack checking. Then "top ‑= arg_cnt" will make top point to data outside of decoder‑>stack. Actually it points to decoder‑>parse_callback. decoder‑>parse_callback address minus default address of that function to get ASLR offset. That's how it bypasses ASLR.

This vulnerability was actually addressed by Apple in OS X v10.6.8 (Security Update 2011-004), but a fix was never pushed to iOS. (CVE-2011-0202).

When Apple released iOS 4.2.9/4.3.4 to patch this vulnerability, it received a different CVE identifier (CVE-2011-0226).

External Links

Retrieved from "https://www.theiphonewiki.com/w/index.php?title=T1_Font_Integer_Overflow&oldid=27102"